Will the Manhattan DA’s office take (legal and financial) responsibility for all damages caused to owners of those mobile devices from identity theft, malware infection, etc. allowed by these back doors?
Didn’t think so. The cake they want to have and eat is a lie.
No, I will not give up my way of life, privacy, and liberty for terrorism or some other childish boogeyman.
Bank vault manufacturers should provide a simple way for the government to bypass their locks as well. I’m sure the details won’t be leaked anywhere and no one will discover the flaw on their own.
I wonder what type of mobile device or devices the Manhattan DA uses. Would he be willing to take the plunge first and start using one with a backdoor? Perhaps someone needs to offer him a phone with a modified OS with such a backdoor and see what he says. What’s good for the public to do should be good for the DA to do, right?
Right! Just like TSA approved locks - the master keys for which are safe and secure.
Awwwww … encryption is making his job too hard … poor, poor DA …
I propose that Americans mail to him a postcard.
So if you visit the US, do you have to surrender your phone at the border? What about returning from a trip overseas where you bought a phone?
While there are plenty of legitimate reasons for encryption and keeping data private, like for personal security, government doesn’t want us to have it because some people abuse it and do bad things.
Now apply that same argument to guns.
Do people like this even? Let’s start by back-dooring https and TLS, and see how well that goes over with the yee-hawdist crowd ;-)
They keep saying that this is about terrorism, but all I can think of is some government drone sitting in a room, watching my daughter through her smartphone camera.
So, suppose you have an older phone. Now it’s noncompliant - but the law is incumbent not on the user, but on the manufacturer. So you have made a criminal of Apple simply by failing to throw away your iPhone 0.1. Or will the law require manufacturers to break all the old hardware? I suppose it worked with TV…
And what if you cobble together a generic cellular modem module and a Raspberry Pi class machine (the raspi itself is built around a SoC for cellphones), possibly some industrial embedded computer with smaller form factor, and brew your own smartphone? Will it make you a criminal?
They do. It is called a drill. And the same thing (metaphorically) works in crypto.
The stupid burns.
The mere words “cobble together” constitute probable cause.
In effect; bank vault manufacturers, although not intentionally, provide more or less exactly what the DA wants: Bank vaults (to my knowledge) aren’t specifically built with backdoors; but basically the only people who would buy such extravagant doors are banks and similar. And a bank isn’t going to refuse a law enforcement request to open their vault and pull a given customer’s deposit box. If they wish to retain customer goodwill, or discourage the cops from pestering them about every little bullshit thing, they might litigate until their options are exhausted; but if the court tells them to open it, they won’t lose the company to save you.
In the case of bank vaults, the “escrow” effect is just a side effect of the market: vaults are expensive and excessive for most purposes, so only people and organizations with a lot to lose would buy them, which ensures that the guys holding the keys have more to lose by resisting than they do by cooperating.
In the case of computers and phones; the market provides no such quasi-escrow: phones are cheap; and it is frequently the case that the owner of the phone has a great deal more to lose by cooperating than by leaving the phone locked or zeroizing it. Even if you are charged and on trial, it hasn’t been entirely settled whether or not refusing to decrypt is protected by the 5th amendment or not (if it isn’t, contempt of court could be a problem; but if it is, it would be totally legal); and if the cops are just doing a modern-day ‘guy looks like the wrong sort, let’s frisk him’, or some three letter agency is playing Total Information Awareness, a suitably encrypted device will pose a problem and they won’t be willing to even go on the record to ask for judicial compulsion to unlock.
What the DA wants is for phone ‘security’ to be less like a bank vault and more like a bank deposit box (where the majority of the security is in the vault door, controlled by an organization that will cooperate with warrants; and the little lock on the box itself is more for ceremony and very, very weak tamper-evidence than anything else).
His desire is bullshit, for the reasons @doctorow mentions; even if the phone manufacturer omits any cryptographic features by default, they’ll need to build a rootkit/keylogger type malware into the phone in order to keep 3rd party tools from being used for crypto on top of the OS (just as Microsoft can’t really help you with opening someone’s GPG-encrypted file or truecrypt volume unless they are actively sniffing keystrokes and grabbing RSA keys from memory); but the flavor of ‘security’ he wants is actually a very common and familiar one in physical security scenarios, and in a lot of records access/protection situations: he wants to ensure that the gatekeeper is a large enough entity that it will always be in their interest to turn on any individual whose data are stored within their vault.
When the gatekeeper is a company, this is almost always the case. When the gatekeeper is the individual, it isn’t. In many cases, the DA wouldn’t even have a legal avenue to compel an unwilling individual; and for some flavors of evidence, being guilty of destruction of evidence; but beating the original charge would be a very desirable tradeoff.
(It’s actually very similar to some of the legal wrangling that RIM/Blackberry was involved in back when they were relevant: With ‘Blackberry Enterprise Services’, an excitingly expensive and fairly painful piece of software that integrated with your mailserver (by ‘fairly painful’ I mean ‘BES Administrator’ might be a full-time job at the company using BES), your Blackberries were, to the limits of RIM’s abilities, under your organization’s control: all devices enrolled with your BES install would be keyed with material unknown to RIM, generated onsite. For consumer Blackberries, sold through carriers, RIM operated the server and BBS, and was the gatekeeper for those devices, at least BBS and email, not 100% sure about locally-stored files. Most countries more liberal than North Korea tended to tolerate BES; both because not doing so would upset businesses and often parts of their own government; and because BES more or less implied that there was a company, and one or more IT guys, you could lean on if you needed access to a specific Blackberry. Consumer Blackberries were viewed with much greater distrust; because, unless RIM was in your jurisdiction, the fact that they had the keys didn’t help you, and Blackberry traffic was considered pretty resistant to attack (especially BBS compared to SMS, which is pitiful plaintext crap). A number of countries, notably India after the Mumbai attacks, demanded that RIM either establish a domestic subsidiary to handle all locally sold consumer Blackberries or face being forced out of the market.)
@shaddack, @shaddack… Don’t you know that every electronic device that has exposed wires or circuit boards and lacks a branded plastic shell in the colors and ‘design language’ of a suitably major consumer electronics manufacturer is always a bomb?
Have you learned nothing from the news?
Even your suggestions about how such a device might be built could likely be construed as “dissemination of a publication that includes information which is likely to be understood as being useful in the commission or preparation of an act of terrorism” for the purposes of the UK’s Terrorism Act 2006.
Unfortunately, only the first half of this post is in jest.
This is clearly bad, but government can already break past most devices’ weak security. For example, the recent “news” that the NSA has been breaking through encryption for years. Putting in backdoors and weaker encryption just makes it easier.